In undertaking its review of the administration of the intelligence agencies for the 2015–16 financial year, the Committee asked agencies to provide submissions addressing:
strategic direction and priorities,
legislative changes (if any) that have impacted on administration,
involvement (if any) in litigation matters,
human resource management,
changes (if any) to the structure of the organisation,
public relations and/or public reporting, and
performance management and accountability.
In their submissions, agencies outlined significant developments and relevant aspects of administration for 2015–16. Much of the evidence received was classified, however, and accordingly has not been authorised for publication. The Committee scrutinised all material provided and followed up several issues at classified hearings.
This chapter reports the Committee’s findings on administration of the agencies. In some areas the discussion is necessarily general due to security needs.
During the reporting period, the Committee conducted two inquiries into bills that affected the operations of the AIC agencies.
Following consideration of the Committee’s reports, the Parliament passed each bill with amendments. The bills received Royal Assent on the dates noted below:
Australian Citizenship Amendment (Allegiance to Australia) Bill 2015
(Royal Assent on 11 December 2015)
Counter-Terrorism Legislation Amendment Bill (No. 1) 2015
(Bill lapsed at prorogation of the 44th Parliament. Re-introduced as the Counter-Terrorism Legislation Amendment Bill (No. 1) 2016 in the 45th Parliament and received Royal Assent on 29 November 2016.)
Additionally, the implementation period for the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, which received Royal Assent in the previous reporting period, commenced on 13 October 2015.
Agencies commented on legislative changes that had impacted their administration, where applicable, in their submissions.
ASIO highlighted the following legislation and related activities:
The Australian Security Intelligence Organisation Regulation 2016, which came into effect on 1 April 2016 and included a new regulation prescribing the Department of Defence as a body with which ASIO may cooperate for the purposes of the Australian Security Intelligence Organisation Act 1979 (ASIO Act). The regulation was ‘proposed to cover any future requirement where ASIO is requested to assist the Defence, including the Australian Defence Force, for the performance of their functions’. The submission noted that ASIO’s assistance may include, but is not limited to, capability sharing such as the provision of linguistic, analytical, technical or logistical support. In supplementary evidence to the Committee, ASIO explained that the regulation provided legal certainty and would allow ASIO to cooperate with Defence on non-security related matters, such as when Defence is responding to natural disasters.
ASIO’s continued work with the Attorney-General’s Department on proposed amendments to the Telecommunications Act 1997, and related legislation, to introduce a regulatory framework to better manage national security risks to Australia’s telecommunications services and networks. Public comment on the draft Bill, Explanatory Memorandum and industry guidelines was sought between November 2015 and January 2016. The Telecommunications and Other Legislation Amendment Bill 2016 was introduced into the Senate on 9 November 2016 and reviewed by the Committee.
ASIO’s continued pursuit of amendments to state and territory legislation in relation to information privacy, consistent with the recommendations of the Joint Commonwealth–New South Wales review of the Martin Place siege.
Several agencies also commented on work undertaken with other departments and agencies during the reporting period on proposed future amendments to national security legislation. One agency continued to argue that the IS Act was ‘badly in need of review’ in order to take into account the changing environment and roles of agencies since the Act came into effect in 2001. This matter was discussed further with the agency at a private hearing.
Use of ASIO’s special powers
ASIO reports each year on its special powers under the ASIO Act and the Telecommunications (Interception and Access) Act 1979 to use specific methods of investigation, which include telecommunications interception and access; use of surveillance devices; entry and search of premises; computer access; and the examination of postal and delivery service articles. The use of these powers is subject to a warrant approval process. Warrant requests are made by the Director-General of Security, independently reviewed by the Attorney-General’s Department, and considered by the Attorney-General.
Further, the ASIO Act enables ASIO, with the Attorney-General’s consent, to seek warrants from an independent issuing authority (a federal magistrate or judge) for questioning, or questioning and detention, of individuals for investigations relating to terrorist offences.
The number of warrants approved by the Attorney-General is classified and cannot be reported by the Committee. However, following increases in 2013–14 and 2014–15, the Committee can report that there was a small reduction in the number of warrants authorised in the 2015–16 reporting period. ASIO provided more information on the types of warrants that were issued in supplementary evidence to the review.
ASIO provided advice about the number of litigation matters it was involved in during 2015–16, which included criminal prosecutions, control order proceedings, merits and judicial reviews of ASIO security assessments, and evidence to coronial inquests:
ASIO managed nine security assessment reviews by the Administrative Appeals Tribunal (AAT) and an additional 13 reviews were commenced during the reporting period. Two security assessment reviews were also commenced in the Federal Court of Australia.
ASIO gave evidence at two coronial inquests during the reporting period:
the coronial inquest into the deaths arising from the Lindt Café siege in Martin Place, presided over by the State Coroner of NSW, and
the coronial inquest into the death of Ahmed Numan Haider, presided over by the State Coroner of Victoria.
ASIO was involved in 11 national security prosecutions at the end of the reporting period.
Following questions from the Committee, ASIO provided supplementary evidence on the effectiveness of current procedures for the protection of sensitive information and sources in legal proceedings. These included the use of Attorney-General’s non-disclosure certificates at the AAT; public interest immunity claims in civil, coronial and administrative law court proceedings; and applications for closed-court and non-publication orders in terrorism prosecutions.
ASIO also reported to the Committee expenditure on litigation in the AAT and courts in 2015–16.
ASIS sought legal advice through the Australian Government Solicitor on a range of operational and non-operational matters in 2015–16 and was involved in several litigation-related matters. ASIS noted that it had provided copies of the written legal advice it received to the IGIS.
AGO and ASD advised that they were not involved in any litigation matters in 2015–16.
DIO assisted the Commonwealth Director of Public Prosecution during 2015 and 2016 with the prosecution of a former Defence employee who had removed a DIO intelligence product from a secure Defence network and subsequently posted parts of it online. DIO advised that it examined and exempted elements of ongoing national security concern from the evidence used in this case and provided affidavits to the court as an expert witness. Sentencing occurred in the ACT Supreme Court in November 2015, with the former employee sentenced to 12 months imprisonment, to be released after three months of full-time custody. DIO noted that this sentencing took place under legislation where the maximum sentence available to the Court was two years imprisonment, but under the National Security Legislation Amendment Act 2014 the maximum sentence for the offence is now 10 years imprisonment.
ONA reported that it had been involved in one matter before the AAT during the reporting period.
Strategic direction and organisational structure
The Committee requested agencies to report on their organisation’s strategic direction and priorities, as well as any changes to the structure of the organisation. A summary is provided below.
ASIO noted that its first corporate plan under the Public Governance, Performance and Accountability Act 2013 was released in July 2015. A copy of the classified Corporate Plan 2016–17 to 2019–20 was provided to the Committee. The plan ‘relates ASIO’s purpose to its activities, delivery strategy, intended results, and new performance measures’. ASIO advised that it ‘continued to refine its corporate planning approach during the reporting period’, and that it has strategic plans for its activities in countering terrorism, espionage, foreign interference and malicious insiders.
In July 2016, the Director-General of Security, Duncan Lewis AO DSC CSC, launched the ‘ASIO2020’ program. The program, which was being delivered using an ‘agile development approach’, is intended to:
‘address the most significant challenges to the Organisation’s future success’,
‘identify ways to proactively respond to the major pressures on ASIO’s business over the coming years’,
‘ensure that ASIO remains focused on work that provides clear value for the Australian Government’, and
ensure that ASIO ‘has the right culture, people and systems to effectively and efficiently achieve its purpose’.
Mr Lewis provided further information on the ASIO2020 program at a private hearing and outlined some of the key strategic challenges that ASIO is responding to.
ASIO reported that a comprehensive review of its ‘structure, resourcing and future posture’ had been completed in February 2015, with a number of structural changes arising from the review being implemented on 3 August 2015. As a result, ASIO introduced a Deputy Director-General Strategy position, which increased the number of Deputy Directors-General from two to three. Its State Manager positions in NSW and Victoria were elevated to First Assistant Director-General level, and an Executive Division First Assistant Director-General position was established. The three groups in ASIO’s organisational structure are
counter-espionage and interference (CEI), and capabilities, and
ASIO submitted that the new functional arrangements allowed for strengthened governance in relation to its high-risk counter-terrorism and counter-espionage programs, as well as ‘an enhanced focus of the Organisation’s strategy and corporate management’.
ASIS’s submission included a strategic overview from its Director-General, Nick Warner AO PSM, outlining its current challenges, priorities, financial position and outlook for the years ahead. Mr Warner expanded on the submission at a private hearing, outlining ASIS’s response to a number of changes affecting its operations and its strategic environment.
ASIS provided the Committee with a copy of its organisational structure as at 30 June 2015, which included changes, as noted in last year’s report, in relation to ASIS’s future operating model.
ONA finalised its corporate plan for 2016 to 2020 in August 2016, setting five priorities across the five years.
ONA continued to be led by its Director-General, Richard Maude, supported by two Deputy Director-Generals. ONA reported that, as at 30 June 2016, it had increased its number of branches from nine to ten, following the re-establishment of a previously abolished branch as a result of ONA’s exemption from the efficiency dividend. This included seven analytic branches, one branch responsible for coordination and evaluation, a Corporate and IT Services branch, and the Open Source Centre. ONA also maintained liaison offices in Washington and London.
At a private hearing, ONA provided an overview of its key strategic priorities and activities during the reporting period.
Defence Intelligence Agencies
The Defence Intelligence Agencies (DIAs) each outlined their strategic priorities and changes to organisational structures in their submissions.
Recommendations from the First Principles Review of Defence continued to be implemented throughout 2015–16, including the establishment of the Strategic Policy and Intelligence Group on 8 February 2016, combining Defence’s intelligence and policy functions. Defence’s Deputy Secretary Strategic Policy and Intelligence, Rebecca Skinner, is responsible for the three DIAs. The Deputy Secretary is also responsible for Defence’s strategic, international and industry policy, as well as an internal contestability function. Defence submitted that the establishment of the Strategic Policy and Intelligence Group was ‘improving policy advice and intelligence outputs through clearer accountability, direction and contestability’.
At a private hearing, Ms Skinner provided the Committee with an overview of the shifting strategic environment, technological changes and other challenges facing the Defence intelligence enterprise. She also discussed the benefits of the new structure, including that there is a larger pool of staff to draw upon within the Group, particularly in relation to analytic skills.
Defence noted that, in response to the First Principles Review, AGO had integrated the Royal Australian Navy’s Hydrography, Meteorology and Oceanography functions ‘to consolidate and improve the delivery of Defence’s geospatial services’. AGO also noted that it was planning an amendment to the IS Act, proposed to occur in 2016–17, to incorporate these functions into AGO. AGO had also ‘reached agreement to consolidate specific geospatial elements into operational intelligence support units’ in 2016‑17.
The 2016 Defence White Paper was released on 25 February 2016. The Department of Defence submitted that the White Paper
provided substantial intelligence investments—in terms of both people and capabilities. This includes increased investment to strengthen Defence’s intelligence, reconnaissance and surveillance capabilities as well as modernised, all-source intelligence systems supported by enhanced information processing capabilities.
Defence also highlighted the work of the Australian Cyber Security Centre during the reporting period, including:
a ‘significant contribution’ to the first unclassified cyber Threat Report in July 2015, providing an ‘overarching view of cyber adversaries, what they are seeking and their methods’ for use by both government and industry, and
specialist advice by a joint DIO and ASD team within the Centre to the Government’s national Cyber Security Strategy—‘a comprehensive plan for advancing Australia’s national and economic security through strong cyber security’ released in April 2016.
Human resource management
The Committee requested agencies to provide an update on human resource management, including information on the following issues:
recruitment and retention strategies,
training and development,
Information provided to the Committee regarding each agency’s staffing arrangements was largely classified. Nevertheless, where possible, human resource management issues relating to each agency are discussed below.
As at 30 June 2016, ASIO had 1880 staff (1753.4 full-time equivalent [FTE]), up from 1829 staff (1715 FTE) a year earlier. This included 53 Senior Executive Service (SES) officers, 539 ASIO Executive Officer 1, 2 and 3 officers and 1289 other officers. 841 officers (45 per cent) were women; 106 came from a non-English speaking background; 10 identified as Aboriginal or Torres Strait Islander; and 18 had a disability. Nearly 70 per cent of staff had lengths of service of more than five years, and around 30 per cent more than ten years. 1334 staff (71 per cent) were Canberra-based, and 546 were based in other locations.
ONA had 140 employees at 30 June 2016 (including the Director-General, excluding two locally engaged staff overseas), up from 137 a year earlier. This included seven non-ongoing employees, 16 part-time employees and two overseas-based employees. 129 employees were ‘operative’ and 11 were ‘inoperative’. Approximately 39 per cent of ONA staff were women. 37 per cent of employees were under 40 years old and 11 per cent were over 60 years old.
Staffing demographics information provided by ASIS and the DIAs was given classifications or Dissemination Limiting Markers, and cannot be published in this report. In broad terms, however, ASIS staff levels increased in 2015–16 after a small decrease the previous year. Staffing levels in each of the DIAs were lower at the 30 June 2016 than a year earlier, continuing a trend of recent years.
Recruitment and retention strategies
ASIO prioritised increasing staffing levels during the reporting period, in accordance with the ‘Enhance Security Intelligence Capabilities to Counter the Islamist Terrorism Threat’ funding measure announced in August 2014. ASIO reported that its growth in staffing was in intelligence, technical, and ICT areas, with also some emphasis on building corporate capabilities, such as vetting and recruitment.
ASIO’s recruitment activities focused on its ‘difficult-to-fill’ roles of surveillance officers, intelligence officers, technical officers and ICT positions. ASIO made changes to its recruitment practices during the reporting period to continuously accept applications for intelligence officers (rather than only accepting applications twice per year) and to introduce an intelligence analyst development program stream.
ASIO continued to use the recruitment agency panel reported in last year’s review to broaden capability and capacity, including by providing administrative support for large recruitment campaigns. ASIO also conducted market research to provide insight into graduate employment preferences and feedback on ASIO recruitment material in order to inform future recruitment activities.
ASIO completed 54 recruitment activities in the reporting period (down from 153 the previous year) of which 11 were for technical and ICT job families. ASIO received 12 997 applications in response to advertised recruitment campaigns, with 278 candidates found suitable and either appointed or placed within a merit pool. Over 6500 applications were also submitted to ASIO’s online employment register, with candidates selected from the register for ‘a variety of vacancies’, in particular technical and ICT roles.
ASIO’s expenditure on recruitment advertising decreased from $871 902 in 2014–15 to $791 016 in 2015–16. ASIO attributed this reduction to ‘refining the Organisation’s recruitment advertising and prioritising our attendance at career fairs’. ASIO advised that it had attended nine career fairs and held targeted information sessions for particular disciplines at a number of universities.
Negotiations for ASIO’s 10th Workplace Agreement were concluded during the reporting period and came into effect on 10 March 2016 following a successful vote. The Agreement included changes to the terms and conditions of certain leave types, part-time employment arrangements and redundancy provisions, allowing ASIO to streamline administration and apply further consistency across the Organisation and with the APS.
ASIS continued its three-tier approach to recruiting intelligence officers, graduates and technologists in 2015–16. However, its technologist campaign was targeted to specific roles in line with its workforce planning requirements. ASIS also continued its ‘IQ+EQ=ASIS’ recruitment branding online, but reduced expenditure on traditional major print media, cinemas and digital light boards at major domestic airports.
ASIS conducted a renewed recruitment process for the assessment and selection of intelligence officers in 2015–16, resulting in an ‘increase of quality applicants throughout the process’. In January 2016, ASIS also introduced ongoing recruitment for operational technology officers, resulting in ‘the largest recorded intake of new hires into this specialisation’.
ASIS’s graduate program, titled ACTIVATE, ‘continued to attract a high calibre of candidates across a range of university subject disciplines’.
ONA updated the Committee on the number of new employees in the reporting period, including a number of casual staff. ONA advised that it explored and promoted flexibility within its workforce in accordance with its Diversity Action Plan. It utilised ‘a range of employment options (including the non-ongoing engagement provisions of the PS Act), temporary transfers, secondments, and limited use of fee-for-service contractors’.
ONA submitted that the ‘interesting and challenging’ nature of its work, along with ‘flexible working arrangements and appropriate remuneration’ provided a ‘solid platform to attract staff’. It noted, however, that the lead time to recruit employees requiring a Top Secret Positive Vetting security clearance ‘presents a challenge in terms of dealing with the gap between the cessation of one employee and the replacement starting work’. ONA advised that it aimed to ‘minimise the latency period and manage unplanned departures where possible’.
At a private hearing, ONA summarised its efforts to attract high quality staff to the office, including through its website, participation at university job fairs, graduate programs, informal networks and connections with other agencies.
The ONA Enterprise Agreement 2016–19 came into effect on 4 May 2016, with a nominal expiry date of 3 May 2019. A review of arrangements for SES officers, which ‘largely mirror the conditions established for non-SES staff’, was conducted in parallel with the Enterprise Agreement negotiations. Updated SES Determinations came into force on 4 May 2016.
ONA also submitted that it had enhanced its workforce planning capabilities during 2015–16 with the establishment of a Workforce Planning Committee and had inaugurated an e-Recruit system.
The Department of Defence advised that the DIAs had
reinforced their commitment to pursue innovative recruitment and retention strategies, amid increasing competition for talent. Initiatives to attract and retain skilled ADF and APS personnel include targeted university recruitment, increased flexibility and incentives for high priority technical skills.
ASD reported that it had used a number of strategies to recruit staff in 2015‑16, including generic and specialised recruitment rounds, transfers at level and the Defence-wide graduate program. ASD conducted 122 recruitment rounds and had 57 arrivals in 2015–16, a decrease from 84 arrivals the previous year. 18 per cent of arrivals to ASD in 2015–16 came from other DIAs, 30 per cent from the broader Department of Defence, 16 per cent from the Australian Defence Force and seven per cent from the private sector. 14 per cent of arrivals came from other Government departments (non-AIC) and 11 per cent through graduate programs.
ASD recruited 47 graduates (24 male and 23 female) in 2015–16 through the Defence Graduate Program. ASD advised that, in accordance with new arrangements under the program, ASD graduates complete a 12 month training program funded by Defence People Group, after which they are transferred back to ASD and recorded as a new arrival.
DIO and AGO both reported increases in their recruitment activity during 2015–16 in their classified submissions. AGO noted that its technical engagement with other organisations on research and development projects ‘indirectly assists AGO recruitment by exposing the organisation and some of its activities to a broader range of technical experts’.
The Committee discussed the challenges of recruiting and retaining skilled staff, and the responses to those challenges, with Defence at a private hearing.
The average separation rate across the APS for 2015–16 was 7.1 per cent. Of these separations, 29.1 per cent were attributed to retrenchment, 42 per cent due to resignation, 20.5 per cent due to age retirement and 1.7 per cent due to termination.
ASIO reported a separation rate for 2015–16 of 4.44 per cent (including one voluntary redundancy), a decrease from 4.81 per cent in 2014–15. This consisted of 68 resignations, 10 age retirements and 37 ‘other’ separations.
AGO, ASD, ASIS, DIO and ONA all reported increases in staff turnover.
Defence provided more detailed information on its separation rates and its response to staff turnover challenges in a supplementary submission.
Training and development
All agencies reported on specific training and development activities undertaken during the reporting period, encompassing both corporate and operational activities.
Following a review of its training conducted in 2014–15, ASIO advised that it had ‘continued its training and capability development in line with the principles of a learning organisation and the 70:20:10 principle’. ASIO advised that its continued investment in this area had led to new programs being developed in line with changes in ASIO’s operating, security and technical environments. ASIO ‘broadened and diversified’ its training delivery models to allow staff to access training opportunities using different mediums. ASIO also continued to share training opportunities, facilities, instructors and standards through relationships with national and international partners.
ASIO advised that it had continued to expand its graduate development programs, including
two Intelligence Officer Development Programs completed in the reporting period,
the annual Technical Graduate Program, and
a new Intelligence Analyst Development Program, which includes ‘classroom-based learning and practical exercises, new specialist analytical training, integrated mentoring, and a range of short-term placements across ASIO’s analytical and assessment areas’.
Advanced and specialised intelligence training courses during the reporting period included refresher training for ‘perishable skills’ and new programs to further develop or refine advanced skill sets. These new programs included tailored leadership training for each intelligence discipline, complementing broader management and leadership programs delivered in line with ASIO’s Management and Leadership in Security Intelligence Strategy (2013–16).
In addition to its established programs, ASIO reported that its management and leadership program included a range of alumni and leadership networking events. Investment in SES development included external mentoring partnerships, internal leadership-themed events and targeted individual development opportunities.
During the reporting period, ASIO focused on building on its existing online training platform, known as the eLearning Academy. ASIO submitted that the new program had resulted in all staff members having access to ‘a range of training opportunities, including more advanced or specialised modules based on specific role requirements’. ASIO also built on its existing mandatory eLearning modules including two additional information technology modules and some in support of ASIO’s safety and security training program.
Overall, ASIO reported that there were 4728 instances of face-to-face training in the Organisation, attended by 1643 employees across 120 training courses. Additionally, there were 2498 mandatory and 1760 non‑mandatory completions of eLearning Academy courses.
ASIO also reported that over 10 per cent of its staff received support for study or language development during 2015–16. This included a total of 117 officers participating in 79 ASIO-supported study programs across a range of disciplines, at a cost of $301 635.
ASIS and ONA
Information provided by ASIS and ONA on their training programs was classified or given Dissemination Limiting Markers and could not be included in this report.
All Defence APS and ADF staff members are required to undertake and maintain proficiency in four mandatory training courses: Work Health and Safety Awareness; Workplace Behaviour; Fraud and Ethics Awareness; and Security Awareness. Defence APS staff are also required to undertake a Defence Enterprise Collective Agreement training course for either supervisors or employees. The DIAs each reported on the percentage of their staff attending the mandatory courses. Similarly to previous years, the figures indicated that a significant majority, but not all, staff in each agency had completed the mandatory training. Results varied between the agencies.
ASD noted that all new employees attend a ‘Day One Security Brief’ and an ‘Introduction to Defence Intelligence Security’ within their first four weeks. DIA staff members were also required to complete a ‘Security Refresher’ e‑learning course each year.
ASD reported that, during 2015–16, it had ‘continued to review and redevelop its compliance training suite to improve and maintain its relevance for ASD staff’. As at 30 June 2016, there were 2141 successful and current completions of ASD compliance training courses. Oversight and compliance courses conducted in 2015–16 included:
an online introductory course for new starters,
a mandatory classroom-based course, designed to give ASD staff general compliance knowledge, not specific to mission area,
mandatory classroom-based courses, designed to give ADF units engaged in signals intelligence activities general compliance knowledge, with examples specific to their units’ activities,
tailored, practical, example-based training addressing specific aspects of compliance most relevant to mission areas,
annual refresher training, and
online training aids and information packages.
ASD continued its Women’s Leadership Program, which ‘supports the presence of women in leadership roles and aids them in stepping up into leadership positions’. In 2015–16, 92 ASD employees attended across ten programs offered.
Further information provided by the DIAs on their training programs was classified or given Dissemination Limiting Markers and could not be included in this report.
Individual performance management
All agencies reported on their arrangements for managing the performance of their employees.
ASIO reported that it had conducted a review of all aspects of its performance management framework during the reporting period. The review resulted in ASIO:
introducing a standard annual salary advancement date for all employees, with stronger links to performance outcomes,
developing further training for line managers in managing unsatisfactory performance or behaviour, and
developing a broad suite of policy and process documents to support all areas of the performance management cycle.
ASIO reported that 98 per cent of its staff had completed their performance obligations, with the remaining two per cent comprising employees who were either on extended periods of leave, were ineligible due to extended periods of leave taken, or separated from the organisation prior to their review being finalised. No ASIO employees were required to participate in formal underperformance management processes in 2015–16 (consistent with the previous year).
ASIO completed two formal misconduct investigations in 2015–16 (down from three in 2014–15), within which the specific elements investigated included:
contravened or failed to comply with a term or condition of employment, including the ASIO Values or Code of Conduct (two breaches),
been inefficient or lacks diligence in the performance of his or her duties (one breach),
been negligent or careless in the performance of his or her duties (one breach),
engaged in dishonest or misleading behaviour (one breach),
engaged in conduct that adversely affects the performance of his or her duties or has the potential to bring the Organisation into disrepute (two breaches).
ASIS’s Performance Management and Development Program requires staff and supervisors to develop annual performance agreements with mid-year and annual reviews. In 2015–16, ASIS prioritised development of a newly enhanced e-performance tool to ‘provide managers with a more comprehensive tool to facilitate robust discussions’. ASIS noted it was also developing a new underpinning performance framework to ‘reflect the capabilities and behaviours expected from officers’.
In response to questions at a private hearing, ASIS provided information on updates to its Code of Conduct and mechanisms available to staff to identify conflicts of interest, make complaints or raise ethical concerns.
ONA’s mandatory performance development framework requires employees to meet regularly with their managers to ‘discuss, set, document and review work priorities and development expectations’. Pay-point advancement is available to eligible non-SES staff at the end of each financial year. ONA does not provide performance bonuses to staff.
ONA noted several individuals and teams who had high performance formally acknowledged through AIC and Australia Day awards programs.
ONA reported one investigation into an alleged breach of the APS Code of Conduct that was initiated by a staff complaint. It was determined that no breach had occurred.
ASD advised that the performance of its APS employees was formally assessed twice a year as part of the Defence Performance Feedback Assessment and Development Scheme process, which is linked to performance progression payments. ASD reported that 93 per cent of its APS employees had their performance progression approved in the reporting period. Of the employees denied progression, six were due to failing to complete mandatory training. The remaining employees were ineligible for progression due to a range of reasons, including that they were on probation, were on leave, or were new starters, trainees or recently promoted. The other DIAs reported similar proportions of employees being denied progression.
Agencies provided information on the diversity of their workforces. Where possible, this information has been included in the ‘staffing demographics’ section above.
As with previous years, gender diversity was given particular focus. In June 2016, 59.0 per cent of employees of the total APS were women. The proportion of women to men in the AIC, however, continued to be significantly lower. Agencies reporting on a range of initiatives to address gender equality in the AIC.
As noted earlier, women comprised approximately 45 per cent of ASIO’s workforce on 30 June 2016, an increase from 44 per cent the previous year. The gender gap continued to be most pronounced at senior levels, consistent with patterns in the broader APS. However, there were some signs of improvement in the statistics, with 19 out of 53 (or 36 per cent) of ASIO’s SES managers being women, up from 33 per cent the previous year and 25 per cent the year before. Around 52 per cent of grade 1 to 6 ASIO officers and 16 per cent of Information Technology Officers and Engineers were women, both up slightly on the previous year. However, only 36 per cent of ASIO ‘Senior Officers’ (equivalent to Executive Level 1 and 2) were women, down slightly from the previous two years.
ASIO reported that it had launched a Gender Equity Strategy on 8 March 2016, with a dedicated senior officer appointed to lead the implementation of the strategy and to scope a broader diversity and inclusion program. The Organisation’s Gender Equity Reference Group was ‘critical to informing an action plan and ensuring staff engagement’. The Director-General continued to regularly address diversity matters in his communication to staff, and ASIO staff heard from other leaders on the topic of gender equity, including through the hosting of an AIC diversity event. ASIO also contributed to cross-AIC initiatives to promote gender equality, including through the AIC Gender Equity Steering Committee.
At the end of 2015‑16, approximately 44 per cent of ASIS staff were female, steady on the previous year’s figure. ASIS noted that it had introduced unconscious bias training for Senior Executives and Executive Level 2 officers to ‘improve their understanding of unconscious bias and how it can influence decisions in the workplace’. ASIS’s existing ‘Women in ASIS Committee’ was broadened to the ‘Diversity in ASIS Committee’ in June 2016, co-chaired by Senior Executives. The Committee includes employee representatives from across the Service to oversee equity and diversity matters and workplace programs. The establishment of gender targets and the introduction of an Executive Level 1 mentoring program were two initiatives approved for implementation in 2015–16. The Committee hosted events including International Women’s Day and facilitated a number of speaker events.
ASIS reported that it had continued to collaborate with other AIC agencies on gender-related issues and sought to build ‘a culture where discussion of gender issues is part of a strengthened and reinvigorated ASIS culture of equity, fairness and transparency for all members of the Service’.
As noted earlier, approximately 39 per cent of ONA staff members were women—a slight decrease from the previous reporting period. However, ONA reported that it had made ‘significant progress on gender and diversity initiatives’. This included updating and releasing its Diversity Action Plan 2015–18 to ensure consistency with the APS Gender Equality Strategy, and appointing a dedicated Diversity Officer in April 2016 to drive and coordinate actions articulated in the Plan. Progress made to June 2016 included:
establishing a regular Diversity Working Group chaired by the Director-General,
establishing a Gender and Diversity portal on the ONA intranet to communicate diversity matters and report on the Diversity Action Plan,
reporting progress on Diversity Key Performance Indicators in ONA’s 2015–16 Annual Report,
unconscious knowledge and bias training accessed by all staff and offered every six months for new staff,
ongoing audit of selection reports to ensure recruitment gender equity and to educate panel chairs on potential unconscious bias,
development of an information sheet on access to flexible and/or part time work for all staff, and
ongoing evaluation of data.
Other work in progress supporting ONA’s Diversity Action Plan included:
development and finalisation of guidelines for the use of Aboriginal and Torres Strait Islander flags,
drafting of a Reconciliation Action Plan,
consultation and collaboration regarding options for recruitment of Indigenous workers, and
consultation with the Australian Network on Disability to ensure accessibility requirements are met for ONA’s 4 National Circuit office.
The total proportion of female staff members amongst the DIAs remained low compared to other AIC agencies and the broader APS. ASD reported that 33 per cent of its staff members were women as at 30 June 2016, consistent with the previous year. At AGO, women accounted for 29 per cent of the overall workforce in 2015‑16, up by one per cent on the previous year. AGO reported that 73 per cent of its new arrivals in 2015‑16 were female. Women comprised 43 per cent of DIO’s APS employees in 2015–16 (steady on 2014–15). Females continued to be most underrepresented at DIO’s senior levels, although representation had increased over the past two years.
ASIO reported that it developed a new internal language program in 2015‑16 to enhance the capacity for staff to build language skills. It spent $370 281 during the year on language training for 69 employees across 21 languages (compared to $432 335 on language training in 2014–15 for 46 employees across 15 languages). ASIO provided more information on its language training and linguistic capabilities at a private hearing.
ASD reported that 117 of its staff members received a Language Proficiency Allowance for between one and four languages to assist them to achieve and maintain their proficiency.
Further information in relation to language skills and the use of proficiency allowances cannot be published due to classifications or Dissemination Limiting Markers.
Staff feedback and complaints
The ASIO Ombudsman is ‘an external service provider who acts to resolve staff issues or concerns impartially and informally, through advice, consultation and mediation’. ASIO reported that, during the reporting period, the ASIO Ombudsman provided advice and guidance in response to 20 informal contacts from staff; provided assistance to an inquiry from the IGIS relating to a previous employee; and undertook formal consideration of conditions-of-service matters and provided advice to staff and management. The ASIO Ombudsman also provided formal advice based on investigations into eight matters, of which four were relevant to the Code of Conduct, two related to organisational restructure conditions, and two were independent reviews of management actions. The ASIO Ombudsman was directly involved with ASIO’s Harassment and Discrimination Advisor Network, and ‘actively promoted the role of the Ombudsman and the importance of the ASIO Values and Code of Conduct in establishing a proper and respectful workplace culture, in a wide range of presentations, branch meetings, induction programs and management training sessions’.
ASIO advised that it did not receive any public interest disclosures during 2015–16.
ASIS has an internal Ombudsman with a role similar to the ASIO Ombudsman. This includes:
informally advising and counselling to ASIS staff at all levels about any employment concerns, and
convening formal investigations into staff grievances and reporting findings and recommendations to the Director-General.
The ASIS Ombudsman undertook two formal investigations during the reporting period.
ASIS also has staff grievance procedures in place in accordance with section 37 of the IS Act. The procedures focus on attempting informal resolution where possible, with more formal processes available where a successful outcome cannot be reached. ASIS noted that the Office of the IGIS is also able to review the handling of grievance matters.
ONA reported that it had received one formal complaint during the reporting period that was handled through the Code of Conduct procedures (as noted above). A large majority of ONA staff participated in the APS Employee Census in June 2016, with results that ‘again compared favourably to the wider APS and our cohort of specialist APS agencies’.
All complaints of unacceptable behaviour involving Defence personnel or contract staff are required to be recorded in the ‘Com Track’ database by the complainant’s manager. Agency heads are provided with reports from Com Track to ‘allow them to monitor unacceptable behaviour within their agency’, while responsibility for resolving the complaint remains with the complainant’s manager or supervisor.
ASD had six recorded complaints of unacceptable behaviour during
2015–16 (down from ten in 2014–15). ASD reported that three of these complaints were unsubstantiated, two were substantiated with an informal resolution, and one complaint was withdrawn.
ASD also reported that:
two ‘Review of Action’ applications were made by ASD employees, one of which was ‘not a reviewable decision’ and the other of which a primary review was still pending, and
no cases had been lodged with the Fair Work Commission in 2015–16.
Complaints to the Inspector-General of Intelligence and Security
Under the Inspector-General of Intelligence and Security Act 1986, the IGIS may receive and inquire into complaints in respect of actions taken by intelligence agencies, including in relation to disclosures under the Public Interest Disclosure Act 2013 (PID Act). Complaints are received from members of the public as well as current and former Commonwealth officials.
The IGIS received a total of 147 complaints in 2015–16, of which 25 were non-visa related and four were public interest disclosures. Of the non-visa related complaints, nineteen were about ASIO, four related to ASIS, one to ASD and one to DIO. These complaints covered a range of matters, including allegations or concerns about:
the execution, or legal basis, of search warrants and related interactions with ASIO,
failure to provide a duty of care to an individual who previously assisted ASIO,
discrimination and harassment based on race,
inappropriate access to information,
security assessments for passports and employment, and
delays in Aviation Security Identification Card and Maritime Security Identification Card security checks.
The IGIS noted that while the majority of complaints were resolved without identifying significant issues, there ‘were a number which raised credible concerns which were also able to be resolved’.
Four disclosures were also made to the IGIS in 2015–16 under the PID Act:
A disclosure by an anonymous complainant who alleged that members of a small work unit in an AIC agency were secretly monitoring the internal communications of their workplace colleagues and using information accessed as a source of gossip and potential influence. Following investigation, a number of forensic technical checks were undertaken to identify any inappropriate conduct or unusual patterns. None were found.
A complaint by a serving AIC officer who had been suspended on full pay pending the formal withdrawal of the officer’s security clearance and the termination of their employment. After reviewing relevant material, the IGIS identified no procedural flaws and decided that the decision of the agency head to withdraw the discloser’s security clearance was not unreasonable in the circumstances.
Claims by a former AIC agency employee that he should not have been permitted to attend specialist training in sensitive techniques relevant to his then employment, if he was already the subject of a ‘review for cause’ security investigation into his continued suitability to hold a security clearance. Following investigation, the IGIS was satisfied that the complainant was not actually the subject of a formal ‘review for cause’ process prior to commencing the training. The IGIS found that
while security related concerns had been raised about the complainant in the preceding weeks, the agency had sought to find a reasonable balance between maintaining appropriate and necessary security standards and treating the complainant in a fair and reasonable manner.
A disclosure from a former AIC agency officer who raised concerns about the manner in which a code of conduct investigation was carried out; alleged workplace bullying and harassment; and whether the agency concerned had inappropriately communicated personal information about the discloser to AIC and other agencies with a view to exclusion from future employment. The IGIS found no evidence to support the claims.
The inspection and inquiry-related activities of the IGIS during the reporting period are summarised later in this chapter.
ONA provided an outline of its energy efficiency measures at its main building, the Robert Marsden Hope Building, which has been leased from the Industry Superannuation Property Trust since October 2011. ONA submitted that ‘in terms of energy efficiency, the new building has elevated ONA from one of the worst performers in the Commonwealth to a point well above the Commonwealth average’. Energy efficiency features include continuous recording and monitoring of energy consumption; energy efficient lighting systems; double glazed windows; and automatically controlled, high efficiency heating and air conditioning services.
ASD also provided information on the infrastructure upgrade project for its R5 and R6 buildings in Russell, ACT. In response to questions from the Committee, Defence outlined the four broad functional requirements that the upgrade would address—power (electrical), security, cooling (mechanical) and safety (fire)—and assured the Committee that the upgrade would not require staff relocations and would not impact on ASD operations.
At a private hearing, Defence provided the Committee with details about a recent occasion in which an ASD facility was transitioned onto backup diesel generators for ‘load shedding’ purposes during an extreme weather event.
ASD noted that the Cyber Security Strategy, released in April 2016, announced a relocation and expansion of the Australian Cyber Security Centre (ACSC). The project was approved by the National Security Committee on 5 April 2016 with a budget of $38.78 million. The new site was proposed to be at the Brindabella Business Park in Canberra. Initial Operating Capability was to be delivered by 30 June 2017 and Full Operating Capability by December 2017. In response to questions from the Committee, Defence outlined the reasons for the decision to relocate the Centre and updated the Committee on its timeframe. Following Parliament’s approval of the works on 30 March 2017, ACSC was expected to be relocated in the second half of 2017.
ASIO reported that it was still considering how it would use the additional space in the Ben Chifley Building following the ACSC’s departure.
ASIS provided classified evidence about its accommodation-related activities through its submission and during a private hearing. Dissemination limited evidence was also received from AGO and DIO.
Security functions within the AIC agencies encompass physical, technical, administrative, ICT, and personnel security.
The Committee’s review of security matters included security policies and procedures, security training, security breaches, e-security arrangements, and security clearances.
Much of the evidence on security matters was classified. However, the Committee notes that throughout 2015–16, safeguarding initiatives, and security enhancements and improvements continued to be implemented across the AIC. Several agencies highlighted their robust and effective security arrangements, strong security cultures and their compliance with the Australian Government’s Protective Security Policy Framework.
Activities undertaken by agencies during 2015–16 included:
upgrading facilities and systems,
physical and technical security audits,
reviews of internal security policies, procedures and risk management frameworks,
enhanced staff awareness and security training,
the development of continuous assessment approaches to personnel security,
security briefings for other government agencies, and
inter-agency forums on security best practice.
Security policies and awareness
ASIO’s security governance is overseen by a Security Committee, which is comprised of senior executives and chaired by a Deputy Director-General. The Committee reports to ASIO’s Executive Board and ‘ensures ASIO’s security policies and practices comply with the Australian Government’s Protective Security Policy Framework, and that the Organisation has appropriate protective security measures in place commensurate with its specific security environment’.
ASIO described in its submission an increased level of threat to the personal safety of its staff as a result of the changes to the security environment:
Recent low-capability, lone actor terrorist attacks around the world—including attacks against police here in Australia—demonstrate the real danger to staff. ASIO officers are operating in an environment that puts their personal safety at risk from spontaneous or opportunistic attack using readily acquired weapons and relatively simple tactics. Reporting of suspicious activities and behaviours in and around ASIO premises has risen. To address the threat, ASIO’s protective security measures have increased commensurate with the level of risk.
ASIO advised that it had implemented the following ‘layered’ security and safety measures:
developing and operating new staff-tracking and duress alert technologies to support employees working operationally,
introducing a range of enhanced security measures for ASIO premises, including overt physical security measures and the patrolling of ASIO’s headquarters by armed AFP officers, and
introducing a suite of enhanced personal safety and security training courses to equip employees to operate in a more hostile environment.
In relation to defences against the ‘malicious insider’ threat, ASIO reported that it had focused on the following four areas:
translating investigative, analytical and personnel security assessment experience into policy initiatives through participation in the Attorney-General’s Department-led Personnel Security Strategic Reforms Taskforce,
disseminating threat advice to government and security vetting officers,
providing threat briefings to government agencies, and
outreach activities to industry and government through the ASIO Business Liaison Unit and Contact Reporting Scheme.
In relation to electronic security, ASIO noted that it continually worked to manage and mitigate identified security risks to its information, and ICT systems. All activities on ASIO systems were audited.
ASIO reported that its security awareness training courses were delivered frequently through the year and across Australia. It added that elements of its courses had been extended to ‘close partner agencies that operate in a similar environment and have similar staff development requirements’. Close partner agencies had also adopted elements into their own internal programs.
In supplementary evidence to the review, ASIO outlined measures it had taken to strengthen its ICT systems to guard against both trusted insider threats and external threats.
As noted earlier, all APS and ADF staff of the DIAs are required to undertake and maintain proficiency in a security awareness or refresher training course each year.
The DIAs reported that Defence Intelligence Security (DIS), which manages personnel and physical security for each agency, ‘invests heavily in external liaison and security briefings to assist customers in developing and implementing tailored mitigation strategies to reduce the likelihood of security incidents’. Mitigation strategies for the protection of sensitive compartmented information outside the DIAs included:
providing mandatory security training for all staff who work in an area that discusses, processes, stores or uses sensitive compartmented information, including ADF personnel, APS staff, contractors, foreign liaison staff, ‘integrees’, and other external staff lodging within the DIAs,
providing security incident response and support, to ensure that clean-ups are conducted thoroughly, to mitigate against further spread, and to help identify any additional mitigation strategies that may be required,
providing sanitisation support for ICT systems to ensure classified information is promptly removed from systems affected by data spills,
managing the disposal of contaminated systems at ‘end of life’,
reviewing and strengthening standard operating procedures for handling sensitive material,
conducting Communications Intelligence Security Officer (COMSO) courses, through which DIS trains selected personnel to ensure that ‘codeword’ material within their unit, department or agency is managed appropriately,
maintaining a COMSO Liaison Program: a visit and contact program to improve the management of classified material, which assists in identifying vulnerabilities and shortfalls in classified handling practices in customer agencies,
providing COMSOs with support packs containing procedural guidelines, training modules, templates and promotional material,
providing operational security advice and training to Liaison Officers in customer agencies and deployed locations to enable them to train customers in protective security practices,
providing counselling and security education for personnel responsible for sensitive compartmented information related security incidents, and
conducting proactive and reactive protective briefings to ensure staff are aware of sensitivities and handling procedures if exposed to compartmented information.
At a private hearing, ASD also updated the Committee on security measures that have been implemented to safeguard classified information against threats from ‘malicious insiders’.
Agencies reported to the Committee on the number and nature of security breaches reported during 2015–16, including any action taken as a result of the breach(es). Agencies also reported on internal and external risk mitigation strategies employed to protect information of national security significance. While the Committee cannot report any details concerning security breaches, the Committee notes that none of the breaches were identified as having resulted in a loss or compromise of national security classified material.
ASIS reported that it had a 19 per cent reduction in security breaches in 2015–16 compared to the previous year. This reduction was attributed to a revised policy issued in early 2014 regarding the penalties for security breaches and increased communication on protective security requirements. In response to questions from the Committee at a hearing, ASIS provided a breakdown of the types of breaches and their level of seriousness. It noted that the reduction in breaches had in part resulted from changes to security breach definitions due to a changed assessment of risk levels. Of 22 categories of security breach identified, only one had seen an increase in the number of breaches compared to the previous year.
Personnel across the AIC are required to secure and maintain an appropriate security clearance to perform their roles.
As part of its review, the Committee sought evidence from agencies about current procedures, timelines, delays and any associated outsourcing arrangements. Agencies reported on these matters in their submissions and in classified evidence to the Committee.
Timeframes to obtain a Positive Vetting clearance through the Australian Government Security Vetting Agency (AGSVA), which applies to the three DIAs and most other government agencies, again increased substantially during the reporting period. The DIA’s reported that the six month benchmark timeframe for Positive Vetting clearances was only met in a small minority of cases. At a private hearing, the IGIS noted the impact of extended wait times for clearances on her office’s recruitment activity.
In last year’s review, the Committee referred to a June 2015 performance audit report by the Australian National Audit Office (ANAO) titled Central Administration of Security Vetting, which noted steadily rising average processing times for Positive Vetting clearances since AGSVA’s initial establishment in 2010. The Committee received a briefing on the report from the ANAO in September 2015.
At its private hearing in March 2017, the Committee sought information from the Department of Defence about the reasons for the ‘backlog’ of clearances and work underway towards remediating the problem. Defence explained that it had made a number of policy changes, resourcing changes and prioritisation changes since 2016 in response to the problem. It advised that ‘tremendous progress’ had been made in the last 18 months, and, while there was still a backlog for Positive Vetting clearances, for the first time since AGSVA’s establishment it was working with average processing times below benchmark for all other levels of clearance. These efforts had resulted in average processing times for Positive Vetting clearances ‘tracking down’, although a return to benchmark clearance timeframes was not expected to be achieved until the end of 2017–18.
ASIO, which conducts its own security vetting, reported that the pressure on its initial and ongoing vetting had continued through the reporting period. ASIO noted that its vetting resources had been ‘bolstered in the previous reporting periods in response to existing pressures and to support additional recruitment associated with supporting the government’s response to the increased terrorism threat’. ASIO also updated the Committee on some changes to the vetting process and of the continued review of processes to ensure efficiencies. ASIO provided further information about its clearance processes and success rates at a private hearing.
ASIS and ONA, which like ASIO undertake their own security vetting, similarly noted changes to policies and procedures during the reporting period and the impact on clearance timeframes.
Some agencies referred to their involvement with the Inter Agency Security Forum and the Protective Security Policy Committee on security policy for clearance subjects. Agencies also referred to ongoing development of a continuous assessment model for security clearances.
Oversight, accountability and performance evaluation
The Committee requested that agency submissions address performance management and accountability, including any outcomes relevant to administration and expenditure for the reporting period.
There are a number of internal and external oversight and accountability mechanisms in place for each of the intelligence agencies to provide assurance to the Australian public of the legality and propriety of their activities. These mechanisms include:
Ministerial and Parliamentary accountability,
for ASIO, the Independent Reviewer of Adverse Security Assessments.
Agencies also regularly undertake, or are subject to, formal evaluations of their performance.
ONA undertakes performance evaluations of the AIC collection agencies’ foreign intelligence collection activities (ASD, AGO, ASIS and ONA’s Open Source Centre). It also provides advice to government on the adequacy of Australia’s foreign intelligence resources. ONA’s evaluations are provided in an annual memorandum to the National Security Committee of Cabinet.
ONA noted that its own overall performance is evaluated on an annual basis by the Department of Prime Minister and Cabinet (PM&C), with outcomes and suggestions for change reported to government. ONA also conducts Key Judgements Reviews as an internal quality assurance tool.
ASIO conducts a survey of key stakeholders in the Australian Government and states and territories each year. The survey seeks to ‘capture feedback on the quality of ASIO’s advice, the effectiveness of the Organisation’s capabilities and people, and the value added through cooperation and collaboration’. ASIO reported good results from its stakeholder survey in its submission.
ASIS similarly measures overall achievement against its performance measures through continuous feedback from customers, as well as through ‘comprehensive annual internal and external assessment’.
Apart from its reviews by the IGIS (discussed below), DIO reported that it was not subject to any external reviews during 2015–16 and undertook no internal reviews.
Inspector-General of Intelligence and Security
The IGIS is an independent statutory office holder with responsibility for reviewing the activities of the AIC agencies. The IGIS’s purpose is
to ensure that each intelligence agency acts legally and with propriety, complies with ministerial guidelines and directives, and acts consistently with human rights.
The IGIS may also, at the request of the Prime Minister, inquire into an intelligence or security matter relating to any Commonwealth agency.
Dr Vivienne Thom concluded her term as IGIS in July 2015. The Hon Margaret Stone was appointed IGIS for a five year term on 24 August 2015.
The Committee sought a submission from the IGIS on any issues of administration and expenditure arising during IGIS’s inspection and inquiry activities. The IGIS appeared at a private hearing, during which the Committee sought additional information on inquiries and other inspections conducted during the reporting period.
Agencies also informed the Committee about their interaction with the IGIS and her office throughout the reporting period.
The Office of the IGIS was exempted from the efficiency dividend in 2015‑16 and has had its budget increased in recent years in light of expanded oversight responsibilities flowing from legislative changes.
The Office of the IGIS’s budget increased to $3.05 million for 2015–16, up from $2.2 million in 2014–15. However, as at 30 June 2016, the IGIS was supported by 14 staff members (a number of whom were part time), down from 16 staff members a year earlier. The IGIS explained:
The exemption and extra funding allowed for the recruitment of additional staff to help the office continue its comprehensive and effective oversight program. Despite a range of recruitment and selection processes during the reporting period, staff turnover and lengthy security clearance processes before new staff can be appointed have challenged our attempts to increase staffing levels. On the positive side, we do now have a dedicated corporate officer to undertake tasks such as finance and human resource management, and this has relieved investigative staff of these duties. New recruitment processes are also ongoing.
Following questions from the Committee at a private hearing, the IGIS provided supplementary evidence covering:
the percentage of ASIO warrants for special powers inspected by the IGIS, for both counter-terrorism or CEI purposes, and the adequacy of those percentages,
the number of full-time equivalent staff employed by the IGIS and the number employed by the six AIC agencies being oversighted,
the new inquiries commenced by the IGIS since 1 July 2016,
agency compliance matters,
quantitative analysis of the IGIS’s inspection activities across the agencies.
The IGIS noted that she was comfortable that her office targeted inspections appropriately within the office’s existing resources, and was confident that the ‘key areas’ for all agencies were looked at. However, she also noted that ‘if we had more, we would do more’. Specifically, the IGIS noted limitations in the resourcing of her office to be able to inspect the activities of agencies outside Australia.
The budget for the Office of the IGIS for 2016–17 was $3.118 million.
The IGIS finalised an inquiry into certain actions of ASD early in the reporting period. The IGIS’s report included four classified recommendations, but did not find any failure of ASD to comply with the law, nor did it reveal any systemic failures of governance or improper activity. ASD responded to the report in October 2015 and ‘accepted the principles underlying the recommendations’. The IGIS ‘was satisfied that ASD has appropriate ongoing arrangements in place in relation to the subject of the inquiry and was responsive to the recommendations’. Routine reporting arrangements between ASD and the office of the IGIS were revised to ‘ensure appropriate levels of ongoing oversight in relation to the subject of the inquiry’.
The IGIS did not commence any new inquiries in 2015–16. This was
mainly due to there being no major issue of concern arising during the period, a decision to prioritise the inspection of new functions carried out by agencies as a result of legislative change, there being no referrals received from a responsible minister and no substantiated complaint of sufficient complexity or seriousness to warrant an inquiry.
In supplementary evidence provided to the Committee, the IGIS outlined a number of new inquiries that had commenced since the end of the reporting period. These inquiries will be noted in next year’s review.
The office of the IGIS continued its program of regular inspections of agency records to ensure that agency activities complied with relevant legislative and policy frameworks. The IGIS found that:
Overall the level of compliance in each of the intelligence agencies continued to be very high. While IGIS inspections and projects identified some issues and some others were self-reported by the agencies, these need to be understood in the context of the large and complex operational activities of the intelligence agencies.
The IGIS’s unclassified submission contained an overview of the IGIS’s inspection program for 2015–16, highlighting relevant issues for the Committee. More detailed information is also available in the IGIS’s annual report.
The IGIS reported that particular focus continued to be given to inspection of the agencies’ use of new and amended powers, such as special intelligence operations, identified person warrants and emergency authorisations. The IGIS noted:
While the majority of inspections found no issues of concern, when issues were found they resulted in further scrutiny and we observed changes to agency practices in order to prevent reoccurrence.
The IGIS submitted that, as with previous years, inspection activities were given priority on a risk management approach, within the resources available to the office.
A number of compliance matters that were identified in the IGIS’s inspection program were discussed in more detail with the Committee during a private hearing.
Independent Reviewer of Adverse Security Assessments
ASIO furnishes security assessments to Commonwealth agencies in accordance with the ASIO Act. A security assessment may be adverse, qualified or non-prejudicial.
The role of the Independent Reviewer of Adverse Security Assessments (the Independent Reviewer) is to:
Review ASIO adverse security assessments (ASAs) given to the Department of Immigration and Border Protection in relation to people who remain in immigration detention and have been found to:
engage Australia’s protection obligations under international law, and
not be eligible for a permanent protection visa, or who have had their permanent protection visa cancelled.
Mr Robert Cornall AO was appointed as the Independent Reviewer on 3 September 2015, replacing the Hon Margaret Stone.
The Independent Reviewer examines all material relied on by ASIO in making a security assessment, as well as other relevant material, and forms an opinion as to whether the assessment is an appropriate outcome. The Reviewer provides recommendations to the Director-General of Security, who must respond to the Reviewer and may determine whether to take action if he agrees with the Reviewer’s opinion.
ASIO advised that during the reporting period:
ten adverse security assessments were reviewed,
there was no difference of opinion between the Independent Reviewer and the Director-General as to the appropriate outcome in any of those cases, and
four cases remained before the Independent Reviewer.
Following a private hearing, ASIO updated the Committee on the small number of individuals with adverse security assessments who remained within the caseload of the Independent Reviewer.
Independent National Security Legislation Monitor
The Independent National Security Legislation Monitor (INSLM) is appointed under the Independent National Security Legislation Monitor Act 2010 on a part time basis for a term of up to three years. The INSLM’s role is to
review the operation, effectiveness and implications of Australia’s counter-terrorism and national security legislation on an ongoing basis. This includes considering whether legislation contains appropriate safeguards for protecting the rights of individuals, remains proportionate to any threat of terrorism or threat to national security or both, and remains necessary.
The Hon Roger Gyles AO QC was initially appointed on an acting basis on 7 December 2014 and, following his substantive appointment as INSLM on 20 August 2015, remained in the role for the remainder of the reporting period.
The INSLM tabled five reports during 2015–16:
Independent National Security Legislation Monitor Annual Report 2015 – 7 December 2015
Control Order Safeguards – Part 1 – 29 January 2016
Section 35P of the ASIO Act – 2 February 2016
Control Order Safeguards – Part 2 – 20 April 2016
Certain Matters Regarding the Impact of Amendments to the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014 – 2 May 2016.
ASIO noted that, during 2015–16, it had made submissions to the INSLM’s inquiries into section 35P of the ASIO Act and certain questioning and detention powers in relation to terrorism (tabled outside the reporting period). ASIO also attended public and private hearings in relation to these matters.
The Committee requested agencies to address public relations and/or public reporting in their submissions, including requests for public access to records.
ASIO submitted that its publicly identified Director-General and Deputy Directors-General undertake public outreach through media responses, public speeches, appearances at parliamentary hearings and select public seminar or conferences. The media is able to contact ASIO directly through a publicly listed media contact number and email address.
ASIO also has a Business Liaison Unit (BLU), which provides an ‘interface’ between the AIC and the private sector. The BLU hosts a secure website, with 3612 subscribers, where ‘intelligence-backed’, declassified reports are published. ASIO reported that the BLU website had been upgraded in June 2016 to improve user experience and search functionality.
The BLU also hosted five classified briefing days for high-threat sectors (such as aviation, communication and places of mass gathering) in 2015‑16, provided ‘hundreds’ of tailored briefings to corporate security managers, and provided ‘dozens’ of executive-level briefings. The BLU’s advice was intended to ensure owners and operators of critical infrastructure and other high threat sectors ‘have the necessary security information regardless of their clearance level’.
ASIO coordinated its cyber outreach activities through its membership of the ACSC, a ‘hub for collaboration and information sharing with the private sector, state and territory governments, academia and international partners’. ASIO also continued to provide advice to the telecommunications industry on national security threats and ‘worked closely with key partners to mitigate risks of unauthorised access or interference to their networks and data holdings’.
ONA reported that its relationship with the general public extended to promulgation of information on its unclassified website. The number of visitors to the website was down slightly in 2015–16 (following a large increase in 2014–15). In August 2015, ONA moved its website to the new ‘GovCMS’ platform, hosted by the Department of Finance. ONA also contributed to a number of publications and responded to Senate Orders and parliamentary questions.
In 2015–16, ASD contributed to 22 media queries coordinated through the Department of Defence’s Ministerial and Executive Coordination and Communication Division. These queries ‘primarily related to information and cyber security, offensive cyber capabilities and Joint Defence Facility Pine Gap’. The ACSC separately responded to 22 media queries, the majority of which related to details about the 2015 Threat Report, cyber security incidents, ASD’s certified cloud services list and the Information Security Manual.
ASD participated in a number of public cyber security forums, workshops and presentations, and released a number of publications relating to ICT security. ASD also promoted greater cyber security awareness through engagement with New South Wales, South Australia, Tasmania, Queensland, Western Australian and Northern Territory government agencies.
ASD again led the coordination and hosting of the ACSC Conference in 2016, describing the event as
an overwhelming success exceeding expectations by attracting over 1000 delegates from Australia and internationally with 30 sponsors and 66 exhibitors, making it the equal largest attended cyber security themed conference in Australia.
DIO reported that it did not promulgate any media releases or publish any unclassified articles during the reporting period, nor did it undertake any public engagements or media liaison.
AGO reported that it had given three public presentations during the reporting period. It also continued to ‘draw from, and contribute to’, external research and development projects, primarily through the Australian Cooperative Research Centres for Spatial Information and Data 2 Decisions. AGO also collaborated with Geoscience Australia on projects with common technical interest, and is ‘investigating opportunities with Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Australian National University (ANU) supercomputer national computing infrastructure’.
ASIS does not have a formal public relations function due to the classified nature of its work and an ongoing policy of referring enquiries about the Service’s operations to the Minister for Foreign Affair’s Office. However, ASIS does engage with AIC and other government agencies to maximise the effectiveness of its material.
Requests for access to public records
Agencies continued to cooperate with requests for public access to agency records, balancing the right to access public records with the need to protect certain information from disclosure.
Requests for access to ASIO records decreased in 2015–16, with 473 applications for record access made (down from 790 in 2014–15) and 650 requests completed (down from 811 in 2014–15). ASIO noted, however, that although the number of requests completed had declined, the number of pages examined had increased.
ASIO also noted there were four applications by persons dissatisfied with a decision by ASIO to exempt a record for release. The National Archives of Australia upheld the exemptions in each case. There was also one new appeal to the AAT, which remained ongoing at the time of the submission.
Other agencies also responded to public access requests. ASD received requests for 32 records, of which 16 were completed in 2015‑16 and seven in early 2016‑17. ASD also finalised the three outstanding requests from 2014‑15, which were released with redactions. The DIO Public Access Team received 105 referrals to examine classified information during 2015‑16 and processed and completed 85 cases, ‘despite reduced staffing levels across all elements that support public access’. AGO received two requests under the Archives Act 1983.
DIO noted that as part of official history projects on Australian peacekeeping operations, operations in Iraq, Afghanistan and East Timor, authors had been granted special access to classified information.
ASIS noted that although it is not bound by the requirements of the Freedom of Information Act 1982, it regularly releases information in response to requests received under section 40 of the Archives Act 1983.
Agency participation in the National Archives of Australia Annual Cabinet Release continued. ASD examined 15 Cabinet records in 2015‑16, agreeing to the release of six without redactions and nine with redactions. ASD also engaged with the National Archives of Australia on one ‘internal reconsideration’ case, in which a previous decision regarding a document being redacted before being released was reviewed under section 42 of the Archives Act 1983. The original decision stood.
The Committee has conducted a thorough review of the administration and expenditure of the six intelligence agencies for the 2015–16 financial year and is satisfied that agencies are overseeing their administrative functions effectively.
Agencies continued to respond to the changing security environment and significant structural changes affected the administration of a number of the agencies. With the support of funding, agencies also invested in a range of new programs and capital projects to enhance their future capacity.
Workforce management continued to be a key focus of agencies in the reporting period. During its review, the Committee received updates on the continuing impact of delays in the finalisation of security clearances for prospective staff. Agencies discussed the strategies they had taken to recruit and retain staff, and to finalise security clearances as efficiently as possible.
In relation to personnel vetted by the Australian Government Security Vetting Agency within Defence, the Committee notes that significant progress has been made since early 2016 to clear the backlog of clearance requests and move towards meeting benchmark timeframes at all levels. It was clear, however, that lengthy delays in the provision of Positive Vetting clearances continued to have an effect on agency recruitment during 2015‑16.
The Committee notes that the ANAO has proposed a new performance audit of Australian Government Personnel Security for commencement during 2016–17, following up the recommendations made in its June 2015 audit of the Central Administration of Security Vetting. Should it proceed, the Committee will closely monitor the outcome of this audit and will continue to inquire this matter during its future reviews.
An independent review of Australia’s intelligence community, conducted by Mr Michael L’Estrange AO and Mr Stephen Merchant PSM, is due to report to the Government in mid-2017. The Committee has met with the reviewers and understands that all six AIC agencies have also engaged with the review. At the time of writing, the report on the review had not yet been released. However, the Committee recognises that the outcomes of the review could have significant implications for the administration, and operation, of the agencies.
The Committee also notes calls from one AIC agency for the IS Act to be reviewed and modernised to account for the changing environment and roles of agencies since the Act was drafted in 2001.
Essential to any changes to the IS Act or other administrative arrangements of the AIC agencies will be ensuring that a high and effective level of oversight is maintained. The IGIS has a key role in this regard in ensuring that each intelligence agency acts legally and with propriety, complies with ministerial guidelines and directives, and acts consistently with human rights. It is therefore essential that the IGIS be sufficiently resourced in any amended regime to be able to perform her role, including by conducting thorough inspections of agency activities. Noting that agencies work in a range of locations, both within Australia and overseas, it will be increasingly necessary for the IGIS to have resourcing for regular inspections in locations outside of Canberra.
Overall, the Committee has not identified any areas of concern within the six intelligence agencies and considers that the administration of the agencies is conducted appropriately.